Message ID | 1397855070-4480-8-git-send-email-rodrigo.vivi@gmail.com (mailing list archive) |
---|---|
State | New, archived |
On 4/19/2014 2:34 AM, Rodrigo Vivi wrote: > From: Chris Wilson <chris@chris-wilson.co.uk> > > Make sure that the whole BDB section is within the MMIO region prior to > accessing it contents. That we don't read outside of the secion is left > up to the individual section parsers. > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> > Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com> > --- > drivers/gpu/drm/i915/intel_bios.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c > index fc9e806..2945f57 100644 > --- a/drivers/gpu/drm/i915/intel_bios.c > +++ b/drivers/gpu/drm/i915/intel_bios.c > @@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id) > total = bdb->bdb_size; > > /* walk the sections looking for section_id */ > - while (index < total) { > + while (index + 3 < total) { > current_id = *(base + index); > index++; > + > current_size = *((u16 *)(base + index)); > index += 2; > + > + if (index + current_size > total) > + return NULL; > + > if (current_id == section_id) > return base + index; > + > index += current_size; > } > Reviewed-by: Shobhit Kumar <shobhit.kumar@intel.com>
On Thu, Apr 24, 2014 at 09:23:24PM +0530, Kumar, Shobhit wrote: > On 4/19/2014 2:34 AM, Rodrigo Vivi wrote: > >From: Chris Wilson <chris@chris-wilson.co.uk> > > > >Make sure that the whole BDB section is within the MMIO region prior to > >accessing it contents. That we don't read outside of the secion is left > >up to the individual section parsers. > > > >Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> > >Signed-off-by: Rodrigo Vivi <rodrigo.vivi@gmail.com> > >--- > > drivers/gpu/drm/i915/intel_bios.c | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > >diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c > >index fc9e806..2945f57 100644 > >--- a/drivers/gpu/drm/i915/intel_bios.c > >+++ b/drivers/gpu/drm/i915/intel_bios.c > >@@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id) > > total = bdb->bdb_size; > > > > /* walk the sections looking for section_id */ > >- while (index < total) { > >+ while (index + 3 < total) { > > current_id = *(base + index); > > index++; > >+ > > current_size = *((u16 *)(base + index)); > > index += 2; > >+ > >+ if (index + current_size > total) > >+ return NULL; > >+ > > if (current_id == section_id) > > return base + index; > >+ > > index += current_size; > > } > > > > Reviewed-by: Shobhit Kumar <shobhit.kumar@intel.com> Queued for -next, thanks for the patch. -Daniel
diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c index fc9e806..2945f57 100644 --- a/drivers/gpu/drm/i915/intel_bios.c +++ b/drivers/gpu/drm/i915/intel_bios.c @@ -49,13 +49,19 @@ find_section(struct bdb_header *bdb, int section_id) total = bdb->bdb_size; /* walk the sections looking for section_id */ - while (index < total) { + while (index + 3 < total) { current_id = *(base + index); index++; + current_size = *((u16 *)(base + index)); index += 2; + + if (index + current_size > total) + return NULL; + if (current_id == section_id) return base + index; + index += current_size; }
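Review bot: The new check "if (index + current_size > total)" and the loop bound "index + 3 < total" both measure against total = bdb->bdb_size, a value read from the BDB header itself, so nothing in this hunk ties the walk to the size of the mapped region that the commit message refers to. If bdb_size is not validated against the mapping length before find_section() is called, an oversized bdb_size still lets the id and size reads run past the mapping; consider clamping total to the known mapping size, or note in a comment that the caller has already done so. A smaller point on the loop condition: "index + 3 < total" stops before a section whose 3-byte header ends exactly at total, so a zero-length final section is never matched, and "index + 3 <= total" would be the exact bound.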